[4862] in WWW Security List Archive


Re: Packet Filters or Proxy Firewalls?

daemon@ATHENA.MIT.EDU (BVE)
Thu Mar 20 20:57:02 1997

Date: Thu, 20 Mar 97 17:35:02 EST
From: bve@quadrix.com (BVE)
To: sfuze@escape.com
In-Reply-To: <Pine.BSI.3.91.970319204045.9887G-100000@escape.com> (message from Vinnie Vedi Dolavimus on Wed, 19 Mar 1997 20:46:36 -0500 (EST))
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


   From: Vinnie Vedi Dolavimus <sfuze@escape.com>

   First things first -- having a packet filtering router alone is really 
   about as much security as having no security at all.

Ummm... I would have to *VEHEMENTLY* disagree with this!!!
Case in point: How many exploits rely on r* services?  Yes, you can turn them
off on all your machines, but if you made all your machines competely secure,
you wouldn't need a firewall, would you?  What happens when you block packets
to tcp 512, 513 and 514?  A whole class of security holes is eliminated, even if
someone breaks into your system some other way, and re-activates those r*
services you thought you'd turned off....

What about sendmail?  Of course, you proxy your mail through smapd, qmail or
some such, but what stops someone from hitting the old sendmail 5.x that has
accidentally been left on one of your machines?  (A brand new Netra 2.0 I
bought last year had just this problem....)  Why, your filtering routers, of
course!  They only allow smtp to your proxy machine, and a whole bunch of
problems go away!

I think that a reasonable person would have to admit that packet filtering
routers are a *significant* step up from no security at all.  ..And with basic
anti-spoofing filters, they allow some other security tools to be much more
effective, such as tcpd.  When a company doesn't spend the $$$ on a
full-fledged firewall, they are taking a chance, yes.  BUT, there are other,
lower-cost ways to provide significant protection.  Filter routers are among
them.

On another note, I would question your discounting of proxies, and pushing of
stateful inspection firewalls (which, by the way, resemble packet filtering
routers in many ways...).  While I, personally, may prefer the risk/benefit
tradeoff of stateful inspection over full-fledged proxies, it's difficult for
me to support the concept that proxies are going away any time soon.  They
provide a level of security which stateful inspection can't, at the price of
significantly greater effort being required to handle new services.

Consider carefully your "absolutes."  What is right for one is not right for
another.  

Finally, this is quite off-topic.  Any further follow-up should be to
firewalls@greatcircle.com.  I will not reply again to any mail on this topic on
www-security.... 

				     -- Bill Van Emburg
Phone: 908-235-2335			Quadrix Solutions, Inc.
Fax:   908-235-2336			(bve@quadrix.com)
Check out http://yourtown.com!		(http://quadrix.com)
	"You do what you want, and if you didn't, you don't"
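The screening-router policy Bill argues for above (drop anything to tcp 512-514, allow SMTP only to the proxy host, anti-spoofing on the outside interface, default deny) as an added worked example. This is a small first-match packet-filter model written for this page; it is not code from the original post, from Quadrix, or from any router vendor. The internal network 192.0.2.0/24, the mail proxy 192.0.2.25, the outside host 198.51.100.7 and the test packets are constructed assumptions (RFC 5737 documentation ranges).

```python
"""First-match stateless packet filter model (added example, not from the original post).

Mirrors a screening-router ACL: rules are tried in order, the first match
decides, and an implicit default deny catches everything else.  All
addresses and the ruleset below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Assumed topology (constructed; RFC 5737 documentation address ranges).
INTERNAL_NET = ip_network("192.0.2.0/24")
MAIL_PROXY = ip_network("192.0.2.25/32")   # assumed bastion running smapd/qmail
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str             # interface the packet arrives on: "outside" or "inside"
    src: IPv4Address
    dst: IPv4Address
    proto: str             # "tcp" or "udp"
    dport: int
    syn_only: bool = True  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    note: str                        # why the rule exists; returned with the verdict
    iface: Optional[str] = None      # None matches any interface
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None      # None matches any protocol
    dports: Optional[range] = None   # None matches any destination port
    established_only: bool = False   # match only TCP segments that are not bare SYNs

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if p.src not in self.src or p.dst not in self.dst:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.established_only and (p.proto != "tcp" or p.syn_only):
            return False
        return True


# Ruleset for the Internet-facing interface.  Order matters: the anti-spoof
# rule must come before any permit, or a forged internal source address could
# ride in on the "established" rule below.
RULES = [
    Rule("deny", "anti-spoof: internal source address arriving from outside",
         iface="outside", src=INTERNAL_NET),
    Rule("deny", "r* services (exec/login/shell, tcp 512-514) blocked everywhere",
         proto="tcp", dports=range(512, 515)),
    Rule("permit", "SMTP only to the mail proxy host",
         iface="outside", dst=MAIL_PROXY, proto="tcp", dports=range(25, 26)),
    Rule("permit", "replies to TCP connections opened from inside",
         iface="outside", dst=INTERNAL_NET, proto="tcp", established_only=True),
]
DEFAULT = Rule("deny", "default deny")


def filter_packet(p: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, note) from the first matching rule, else the default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return DEFAULT.action, DEFAULT.note


# Constructed test traffic covering the cases discussed in the post.
OUTSIDE_HOST = ip_address("198.51.100.7")
SCENARIOS = {
    "rlogin to internal host":
        Packet("outside", OUTSIDE_HOST, ip_address("192.0.2.10"), "tcp", 513),
    "smtp to proxy":
        Packet("outside", OUTSIDE_HOST, ip_address("192.0.2.25"), "tcp", 25),
    "smtp to forgotten sendmail host":
        Packet("outside", OUTSIDE_HOST, ip_address("192.0.2.10"), "tcp", 25),
    "spoofed internal source":
        Packet("outside", ip_address("192.0.2.5"), ip_address("192.0.2.10"),
               "tcp", 40000, syn_only=False),
    "reply to outbound connection":
        Packet("outside", OUTSIDE_HOST, ip_address("192.0.2.10"),
               "tcp", 40000, syn_only=False),
}


def evaluate_all(scenarios=SCENARIOS) -> dict:
    """Map each scenario name to the filter's verdict ("permit" or "deny")."""
    return {name: filter_packet(p)[0] for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, p in SCENARIOS.items():
        action, note = filter_packet(p)
        print(f"{name:32s} -> {action:6s} ({note})")
```

The "forgotten sendmail 5.x" case is the point of the post: the host still listens on port 25, but the router only permits SMTP to the proxy, so the packet never arrives. The spoofed case shows why the anti-spoof rule sits first; moved below the "established" permit, a forged 192.0.2.5 source on a non-SYN segment would be let through.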
